From: Oliver Neukum Date: Mon, 30 Jun 2008 12:33:57 +0000 (+0200) Subject: USB: fix double kfree in ipaq in error case X-Git-Tag: v2.6.27-rc1~946^2~5 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df3e1ab7334279bc744344bcf05272dc8b985d3d;p=linux-2.6 USB: fix double kfree in ipaq in error case in the error case the ipaq driver leaves a dangling pointer to already freed memory that will be freed again. Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/usb/serial/ipaq.c b/drivers/usb/serial/ipaq.c index d9fb3768a2..80d9ec5570 100644 --- a/drivers/usb/serial/ipaq.c +++ b/drivers/usb/serial/ipaq.c @@ -646,12 +646,13 @@ static int ipaq_open(struct usb_serial_port *port, struct file *filp) */ kfree(port->bulk_in_buffer); - kfree(port->bulk_out_buffer); port->bulk_in_buffer = kmalloc(URBDATA_SIZE, GFP_KERNEL); if (port->bulk_in_buffer == NULL) { port->bulk_out_buffer = NULL; /* prevent double free */ goto enomem; } + + kfree(port->bulk_out_buffer); port->bulk_out_buffer = kmalloc(URBDATA_SIZE, GFP_KERNEL); if (port->bulk_out_buffer == NULL) { kfree(port->bulk_in_buffer);